Abstract

As mobile devices pervade physical space, the familiar authentication patterns are becoming insufficient: besides entity authentication, many applications require, e.g., location authentication. Many interesting protocols have been proposed and implemented to provide such strengthened forms of authentication, but there are very few proofs that such protocols satisfy the required security properties. In some cases, the proofs can be provided in the symbolic model. More often, various physical factors invalidate the perfect cryptography assumption, and the symbolic model does not apply. In such cases, the protocol cannot be secure in an absolute logical sense, but only with a high probability. But while probabilistic reasoning is thus necessary, the analysis in the full computational model may not be warranted, since the protocol security does not depend on any computational assumptions, or on the attacker's computational power, but only on some guessing chances.

We refine the Dolev-Yao algebraic method for protocol analysis by a probabilistic model of guessing, needed to analyze protocols that mix weak cryptography with physical properties of nonstandard communication channels. Applying this model, we provide a precise security proof for a proximity authentication protocol, due to Hancke and Kuhn, that uses probabilistic reasoning to achieve its goals.

Keywords: security protocol, pervasive authentication, symbolic model, Bayesian reasoning, distance bounding


1  Introduction 

Two paradigms of security. Traditionally, two paradigms have been used for proving protocol security. The first one, captured by the symbolic model, commonly known as "Dolev-Yao", describes both protocol and attacker in terms of an algebraic theory [14]. While this has been criticized as crude, it is often highly effective and easily automated. The other paradigm, captured by the computational model, usually relies on some notion of indistinguishability from the point of view of a computationally limited attacker [18]. Recently, a lot of research [3,32], starting with [1], has been devoted to drawing the two paradigms closer together. This strategy has generally been to rely upon crypto-algorithms that themselves satisfy strong enough definitions of security, so that, if used in the proper way, they can be treated as Dolev-Yao "black boxes".

Problem of pervasive security. However, there is an emerging class of security protocols for which it seems difficult to bring these two paradigms together. Such protocols arise in heterogeneous networks of diverse computational and communication devices, with mixed type channels between them [34]. Nowadays ubiquitous, such networks can be viewed as a realization of Doug Engelbart's visionary idea of smart space and pervasive computation [16]. The spatial aspects of computation give rise to a new family of security problems, where the standard authentication requirements need to be strengthened by proofs of spatial proximity. In some cases, it has been possible to refine symbolic methods to get stronger proofs [23,30]. But there are other cases that resist symbolic analysis. One such case is the Hancke-Kuhn distance bounding protocol [21], which we analyze in the present paper. The protocol consists of a timed challenge-response exchange in which a prover Peggy needs to convince a verifier Victor that she is in the vicinity. Peggy's rapid response to Victor's challenge is implemented using a rapidly computable function. The requirement that the function must be rapidly computable turns out to weaken it cryptographically. One of the main requirements of cryptographic strength is diffusion: for a boolean function, each bit of the output should depend on each bit of the input. But such a function is not rapidly computable. The other way around, an on-line function, that produces its output while still receiving its input, is easier to compute, but cannot be cryptographically strong. So there is a tradeoff between cryptographic strength and rapid computability. We explore this tradeoff in Sec. 5, and quantify the information leakage of on-line functions. The Hancke-Kuhn protocol is based on such a function.

Already in the original presentation [21] of their protocol, Hancke and Kuhn wrote down an estimate of the attacker's chance to guess a response bit. However, besides attempting to guess some bits of the response, the attacker may also attempt to guess the secret on which the response is based. Moreover, he may attempt his guesses directly, or make use of the responses stored from other sessions. Last but not least, he may collude with Peggy. Towards a precise security proof, the diverse strategies available to the attacker must be evaluated together, and exhaustively. This requires a formal model of protocol execution.

Bayesian security. But what model to use? The symbolic model cannot be used because the perfect cryptography assumption is not validated by the on-line function, which is the central feature of the protocol. On the other hand, the cryptographic strength and weakness of this function, and the resulting security and insecurity of their protocol, does not have anything to do with any computational assumptions, or with the computational power of the adversary: it only depends on guessing chances, which cannot be essentially increased by computational power. Thus using the computational model does not contribute to the analysis of the central feature of the protocol, although it does apply to any implementation.

The most natural model for analyzing the Hancke-Kuhn protocol that we came up with extends the symbolic model by a rudimentary probabilistic theory of guessing. It retains the perfect cryptography assumption for the standard cryptographic primitives used in the protocol, in particular for the keyed hash function. In a probabilistic context, though, the perfect cryptography assumption means that the output distributions of the relevant cryptographic primitives are statistically indistinguishable from the uniform distribution. Assuming this for the hash function used in the protocol brings us close to the random oracle assumption, often used in computational analyses [4]. There is a sense in which the random oracle assumption can be construed as the probabilistic version of the perfect cryptography assumption.

In summary, we contend that the simplest model capturing the central features of the Hancke-Kuhn authentication protocol must be probabilistic, but need not be computational. The probabilistic model that we propose is an extension of the symbolic theories used in our previous work [22,8,24]. On the other hand, a version of the standard computational model can be obtained as an extension of this probabilistic model (by distinguishing a submonoid of feasible functions within our monoid of randomized boolean functions). It should be noted that these logical maps between the models go in the opposite direction from those in the explorations of the computational soundness of the various fragments of the symbolic model [1,3,32]. In such explorations, the symbolic languages are mapped (interpreted) in the computational language; here, a more concrete model is mapped onto a more abstract model, which is its quotient, just like blocks of low-level code are mapped onto the expressions of a high-level programming language, or like more concrete state machines are mapped on more abstract state machines [25,26]. It follows that anything proven about the abstract model remains valid about its more concrete implementations: e.g., the Bayesian reasoning about secrecy remains valid in the computational model — provided that the assumed randomness of the hash function can be validated. This proviso is, of course, not satisfied in practice, since cryptographic hash functions are not truly random. The task, thus, remains to strengthen or refine the reasoning so as to be able to discharge such unrealistic assumptions. This logical strategy was discussed in [22,8]. While not widely accepted in security, this is a standard approach to refinement based software development: e.g., Euclid's algorithm is usually described assuming the ring of integers; but the assumption that there are infinitely many integers must be discharged before the algorithm is implemented in a real computer.

The space does not allow us to delve into the details of this approach, as applied to security. They will be presented elsewhere. In the present paper, we attempt to present a very special instance of this approach, where a modest probabilistic extension of the symbolic model suffices for the problem at hand — yet it leads to an essentially different reasoning framework, with Bayesian derivations instead of logical. The resulting technical divergence, mitigated by the conceptual guidance from the underlying simpler model, should be viewed as one of the main features of the incremental approach, pursued in the Protocol Derivation Logic (PDL) [22,8,24]. In [23], PDL was already used to analyze distance bounding protocols, similar to Hancke-Kuhn's, and for reasoning about pervasive security in general. An interesting feature of the current probabilistic extension of PDL is that the concept of guards, originally developed for reasoning about secrecy [24], now provides a crucial stepping stone into our analysis of guessing chances, and of the concrete authentication guarantees in the Hancke-Kuhn protocol in Sec. 6, as well as in the abstract view of symbolic authentication in Thm. 3.4.

Related work. As already mentioned, the closest relative of the PDL formalism, underlying this work, and briefly summarized in Sec. 3, is PCL [15,11,10]. Both formalisms owe a lot to strand spaces [17], in spirit, and in execution models, although the logical methods diverge. Our probabilistic extension of PDL is predated by the probabilistic extension of PCL in [12], and by the probabilistic extension of strand spaces in [20]. But each of the three probabilistic approaches has a different intent, and a completely different implementation, conceptually and technically. It would be interesting to explore these differences more closely, as some tasks may yield to combined modeling methods.

Paper outline. The paper continues with a review of distance bounding authentication, and a description of the Hancke-Kuhn protocol. In Sec. 3 we provide a brief overview of the derivational method of protocol analysis, and of PDL. We also recall the algebraic notions of derivability and guards, originally used for derivational analyses of secrecy, and here adapted for authenticity. The probabilistic versions of these notions are introduced in Sec. 4, and then used to model guessing. The gathered tools are then put to use. In Sec. 5, we analyze the information leakage of on-line functions in general, and characterize the Hancke-Kuhn function among them. In Sec. 6, we quantify the authentication achieved in the Hancke-Kuhn protocol. Sec. 7 closes the paper with a summary of the results and a discussion of the extensions. All proofs are in the Appendix.


2  The  Hancke-Kuhn  protocol 

2.1 Background

In a man-in-the-middle attack on a challenge-response protocol, the attacker relays messages, sometimes modified, between the legitimate participants. If resending a message takes time, the legitimate participants may observe slower traffic. This has been proposed as a method to prevent man-in-the-middle attacks. In particular, the challenger can measure the presumed round trip of his challenge and of the responder's response, and compute a maximal distance of the responder, assuming an upper bound on the message velocity. This can assure the authenticity of the response, if it is known that the attacker cannot be too close. This is the idea of distance bounding [13,5]. The early security analyses of distance bounding protocols go back to the early 1990s [6]. The interest in this type of authentication re-emerged recently, with the task of device pairing and a genuine need for proximity authentication in pervasive networks. From the outset, the basic idea of distance bounding was to combine some cryptographic authentication tools, such as hashes or signatures, with a physical constraint, such as the limited speed of message exchange. Most distance bounding protocols [6,7,23] implement this combination by using two channel types: the standard network channels for the cryptographic authentication, and the timed channels for the rapid response. The Hancke-Kuhn protocol [21] stands out by its simplicity, and by the fact that both cryptographic data and the rapid response are sent on the timed channel. This, however, comes at the price of information leakage, which makes the security analysis interesting.


2.2  The  protocol 


As mentioned before, the goal of the Hancke-Kuhn protocol is that the prover Peggy proves to the verifier Victor that she is nearby. It is assumed that Peggy and Victor share a long term secret $s$, and a public hash function $H$. The relevant security requirement from $H$ will turn out to be a version of the range preimage resistance [29]. The simplest way to present a protocol session is to view it in two stages.

In the first stage, Peggy and Victor exchange values $a$ and $b$, which can be predictable for the attacker, but must never be reused by Peggy and Victor in more than one protocol session. The values $a$ and $b$ can thus be viewed as counters.


Fig.  1.  Hancke-Kuhn  protocol:  Second  Stage 


In the second stage, Peggy and Victor both form the hash $h = H(s :: a :: b)$ and proceed with the exchange on Fig. 1. If Victor's challenge $x = (x_i) \in \mathbb{Z}_2^{\ell}$ is a bitstring of length $\ell$, then the hash $h$ should be $2\ell$ bits long, which we view as a concatenation $h = h^{(0)} :: h^{(1)} \in \mathbb{Z}_2^{2\ell}$ of two strings of $\ell$ bits. The function $\boxplus : \mathbb{Z}_2^{\ell} \times \mathbb{Z}_2^{2\ell} \to \mathbb{Z}_2^{\ell}$ is defined bitwise for $i = 1, 2, \ldots, \ell$ by

$(x \boxplus h)_i = h_i^{(x_i)}$ (1)

To summarize Fig. 1,

• Victor generates a random bitstring $x$ of length $\ell$, and sends each bit $x_i$ of $x$ at time $\tau_i$.

• To each bit $x_i$, Peggy responds with $h_i^{(0)}$ if $x_i = 0$, and with $h_i^{(1)}$ if $x_i = 1$.

• Victor receives Peggy's $i$-th bit response at time $\tau'_i$. He knows $h$ as well, and can check that these responses are correct. If only he and Peggy know $h$, then the responder must be Peggy. He then uses the times between sending the challenges and receiving the responses, together with the velocity of the message signal, to compute his distance from Peggy.

2.3  Discussion 

Leaking information to the attacker. The crucial component of the protocol is the Hancke-Kuhn function $\boxplus$. Its main feature is that it is rapidly computable, as efficiently as the exclusive or $\oplus$. It is thus as suitable for timed authentication as $\oplus$, but it also leaks information, although less than $\oplus$: while $x$ and $x \oplus g$ allow extracting $g$ because $g = x \oplus x \oplus g$, $x$ and $x \boxplus h$ allow extracting only half of the bits of $h$. However, it is easy to see from (1) that from $x$, $x \boxplus h$, and moreover $(\neg x) \boxplus h$, the attacker can extract all of $h$. That is why Peggy and Victor must not reuse their counters. If $h = H(s :: a :: b)$ can be used in two responses, then an attacker can challenge Peggy twice, first with $x$ and then with $\neg x$, and thus get $x \boxplus h$ and $(\neg x) \boxplus h$ as the two responses. From this, he can extract $h$ and impersonate Peggy to Victor. Even if the counters are never reused, the fact that half of the response bits can be acquired by an attacker needs to be carefully examined, and his chances to guess the rest evaluated.

Overlooked assumption. Hancke and Kuhn's estimate of the probability that an attacker may succeed in impersonating Peggy relies on the implicit assumption that $|x| < |s|$. Otherwise, if $|x| > |s|$, the attacker has better odds to guess $s$ than $x$. In practice, of course, the assumption $|x| < |s|$ is usually satisfied, because the secret $s$ is usually at least 256 bits long, while the challenge $x$ may be shorter. Strictly speaking, though, the impression that the protocol's security only depends on the length of the challenge $x$ is not correct, since a short secret $s$ would make it vulnerable.

Dishonest prover and the kernel. Another interesting weakness is that the value of Peggy's $i$-th response bit $(x \boxplus h)_i$ does not depend on $x_i$ if $h_i^{(0)} = h_i^{(1)}$. A dishonest Peggy can thus analyze the hash $h$ and respond without waiting for $x_i$ whenever $h_i^{(0)} = h_i^{(1)}$. If the response time is averaged, she is likely to appear closer to Victor than she really is.

Since Victor's counter $b$ is predictable, Peggy can attempt to choose her own counter $a$ to maximize the size of the kernel $\kappa_h$ of $h = H(s :: a :: b)$, defined

$\kappa_h = \{\, i \le \ell \mid h_i^{(0)} = h_i^{(1)} \,\}$ (2)

The larger the kernel, the closer Peggy can appear to Victor. However, the problem of finding a value $a$ such that, for a fixed $s$ and $b$, the image $H(s :: a :: b)$ has a desired property is a version of the range preimage problem [29]. The assumption that $H$ is a hash function, and in particular that it is a one-way function, implies that dishonest Peggy's advantage in finding a preimage $a$ such that $H(s :: a :: b)$, given $s$ and $b$, falls within a desired range of strings with a large kernel, is negligible. This means that the dishonest prover's manipulation of the kernel is unfeasible.

Further ad hoc observations get more complicated, without providing any definite assurances. This demonstrates the need for a rigorous analysis within a formal model.
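The second-stage exchange of Sec. 2.2 and the leakage and kernel observations of Sec. 2.3, worked through in runnable form. This is an added example, not code from the paper or from Hancke and Kuhn: it assumes HMAC-SHA256 as the keyed hash $H$, a constructed 16-bit challenge length and a constructed secret, and it measures leakage by counting which bits of $h$ a set of transcripts determines rather than by reconstructing $h$.

```python
import hashlib
import hmac
import secrets

# Constructed parameters for this example (not from the paper): a 16-bit
# challenge and a 256-bit shared secret, so that |x| < |s| as Sec. 2.3 assumes.
ELL = 16
SECRET = secrets.token_bytes(32)


def hancke_kuhn_hash(s: bytes, a: int, b: int, ell: int) -> list:
    """h = H(s :: a :: b) as a list of 2*ell bits.  HMAC-SHA256 stands in for
    the keyed hash H; the counters a and b are encoded as fixed-width integers."""
    msg = a.to_bytes(8, "big") + b.to_bytes(8, "big")
    digest = hmac.new(s, msg, hashlib.sha256).digest()
    bits = [(byte >> (7 - k)) & 1 for byte in digest for k in range(8)]
    if len(bits) < 2 * ell:
        raise ValueError("hash output shorter than 2*ell bits")
    return bits[: 2 * ell]


def boxplus(x: list, h: list) -> list:
    """The Hancke-Kuhn function of eq. (1): (x ⊞ h)_i = h_i^(x_i), i.e. the
    i-th bit of h^(0) when x_i = 0 and of h^(1) when x_i = 1."""
    ell = len(x)
    h0, h1 = h[:ell], h[ell:]
    return [h1[i] if x[i] else h0[i] for i in range(ell)]


def kernel(h: list) -> set:
    """Kernel of eq. (2): positions i with h_i^(0) = h_i^(1), where the
    response bit does not depend on the challenge bit (0-based here)."""
    ell = len(h) // 2
    return {i for i in range(ell) if h[i] == h[ell + i]}


def bits_of_h_determined(transcripts: list, ell: int) -> int:
    """How many of the 2*ell bits of h are fixed by observing the given
    (x, x ⊞ h) pairs, all answered with the same h.  Response bit i reveals
    h_i^(x_i) and nothing about the other half; challenges x and ¬x together
    therefore fix all 2*ell bits, which is why counters must not be reused."""
    determined = set()
    for x, _response in transcripts:
        for i in range(ell):
            determined.add(i + ell * x[i])   # index into h^(0) or h^(1)
    return len(determined)


def run_session(s: bytes, a: int, b: int, ell: int) -> dict:
    """One second-stage exchange (Fig. 1) with an honest Peggy.  Both sides
    derive h locally; Victor checks the response bits.  Timing is not
    modelled, so only the authenticity check is shown."""
    h_victor = hancke_kuhn_hash(s, a, b, ell)
    h_peggy = hancke_kuhn_hash(s, a, b, ell)
    x = [secrets.randbelow(2) for _ in range(ell)]
    response = boxplus(x, h_peggy)                 # Peggy's rapid replies
    accepted = response == boxplus(x, h_victor)   # Victor's check
    return {"x": x, "response": response, "accepted": accepted,
            "kernel_size": len(kernel(h_victor))}


if __name__ == "__main__":
    session = run_session(SECRET, a=1, b=1, ell=ELL)
    print("honest session accepted:", session["accepted"],
          "kernel size:", session["kernel_size"])
    # Leakage when the same h answers two challenges (counter reuse).
    h = hancke_kuhn_hash(SECRET, 1, 1, ELL)
    x = session["x"]
    not_x = [1 - bit for bit in x]
    one = [(x, boxplus(x, h))]
    two = one + [(not_x, boxplus(not_x, h))]
    print("bits of h fixed by one transcript:", bits_of_h_determined(one, ELL))
    print("bits of h fixed by x and not-x:", bits_of_h_determined(two, ELL))
```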

Modeling the essence of the Hancke-Kuhn protocol. The assumption that $H$ is a one-way function will turn out to be the only point where the security of the Hancke-Kuhn protocol depends on computation. All other attack strategies only involve guessing chances. To show this, in the following sections we introduce a probabilistic (Bayesian) protocol model, which strictly extends the standard algebraic (symbolic) model, and is a strict fragment of the standard computational model. The hash $H$ is modeled as a randomized function, as defined in Sec. 4. The perfect cryptography assumption of the symbolic model lifts in our Bayesian model to the assumption that the hashes are truly random, which is, of course, analogous to the random oracle assumption in the computational model. It allows us to abstract away the generic and negligible vulnerabilities, and to focus on the interesting aspects of the security of the Hancke-Kuhn protocol, achieved in spite of the cryptographic weakness of the $\boxplus$ function as its central feature.

3  Algebraic  protocol  models 

We analyze the Hancke-Kuhn protocol by the derivational method. The varied versions of this method have been applied to many protocols [15,22,8,11,10]. While the algebraic protocol model suffices in most cases, the Hancke-Kuhn protocol requires an evaluation of guessing chances. We attempt to find a simple model that will allow this.

3.1  Message  algebras 

In the Dolev-Yao protocol model, messages are represented as terms of a free algebra of encryption and decryption operations [14]. More general algebraic models allow additional operations, and additional equations [9]. Recall that an algebraic theory is a pair $(O, E)$, where $O$ is a set of finitary operations (given as symbols with arities), and $E$ a set of well-formed equations (i.e. where each operation has a correct number of arguments) [19].

Definition 3.1 An algebraic theory $\mathcal{T} = (O, E)$ is called a message theory if $O$ includes a binary pairing $(-, -)$ operation, and the unary operations $\pi_1$ and $\pi_2$ such that $E$ contains the equations $\pi_1(u, v) = u$, $\pi_2(u, v) = v$, and $((x, y), z) = (x, (y, z))$. A message algebra is a polynomial extension $T[X]$ of a $\mathcal{T}$-algebra $T$.

Remarks. The third equation implies that there is a unique $n$-tupling operation for every $n$. The first two imply that the components of any tuple can be recovered. A polynomial extension $T[X]$ is the free $\mathcal{T}$-algebra generated by adjoining a set of indeterminates $X$ to a $\mathcal{T}$-algebra $T$ [19, §8]. The elements $x, y, z, \ldots$ of $X$ are used to represent nonces and other randomly generated values. This is justified by the fact that indeterminates can be consistently renamed: nothing changes if we permute them. That is just the property required from the random values generated in a run of a protocol¹.

3.2 Protocol models

There are several protocol modeling formalisms that can be used for protocol derivations. The process calculus in [15,11] was designed specifically for this purpose. Strand spaces [17] were designed for a different purpose, but they can be adapted for protocol derivations too. In [22,8,24] we used partially ordered multisets (pomsets) of actions [27], which allow simple tool support [2]. We stick with this approach, but the subtle (or in some cases not so subtle) differences between these approaches are of no consequence here. For completeness, we provide a brief overview. For more detail, the reader may want to consult some of the mentioned references.

In all cases, the set of actions $A$ is generated over the message algebra $T[X]$ by a grammar allowing each term $t \in T[X]$ to be sent in the action $\langle t \rangle \in A$, and received in the action $(t) \in A$. Moreover, an indeterminate $x \in X$ can be introduced into a protocol by the binding action $(\nu x) \in A$, which is read as "generate fresh $x$".

Fig. 2. CR template (figure not reproduced: $V$ performs $(\nu x)$ and sends the challenge $c^{VP}x$; $P$ receives it and sends the response $r^{VP}x$; $V$ receives the response)


Fig. 2 shows the abstract challenge-response protocol template, where the verifier Victor authenticates the prover Peggy. It is assumed that only Peggy is able to transform the fresh challenge $c^{VP}x$ into the response $r^{VP}x$. This assumption is construed as a constraint on the operations $c^{VP}$ and $r^{VP}$. The actions $\langle\langle t \rangle\rangle$ and $((t))$ are syntactic sugar for "send (resp. receive) a message from which anyone can extract $t$".


3.3  Views,  derivability  and  guards 

As usual, the communication channels are assumed to be controlled by the attacker: she observes all sent messages, and controls their delivery. However, she may not be able to invert all operations, and she has no insight into the fresh or secret data of other principals. Hence the different views of the various protocol participants.

¹ Of course, this is not the only requirement imposed on nonces and random values. The other requirement is that they are known only locally, i.e. by those principals who generate them, or who receive them unencrypted. This requirement is not formalized within the algebra of messages, but by the binding rules of process calculus or actions by which the messages are sent [11,24].

A state $\sigma$ reached in a protocol execution is a lower closed pomset of actions executed up to that point, with an assignment of values to principals' local variables, which they use to store messages and their local computations. The view $\Gamma_P$ of a principal $P$ at a state $\sigma$ consists of all terms that $P$ may have observed up to $\sigma$, and all terms that she could derive from that. Formally, this last clause means that $\Gamma_P$ is upper closed under the derivability relation

$\Sigma \vdash \Theta \iff \forall t \in \Theta\ \exists \varphi \in O^{(n)}\ \exists s_1, \ldots, s_n \in \Sigma.\ t = \varphi(s_1, \ldots, s_n)$ (3)

where $\Sigma, \Theta \subseteq T[X]$ are finite sets of terms, $O^{(n)}$ is the set of well-formed $n$-ary operations in the signature $O$, and the equation is derivable from $E$.


Authentication by challenge-response

The challenge-response protocol in Fig. 2 validates authentication if Victor is justified in drawing a global conclusion from his local observation: i.e., having observed his own actions on the left, Victor should have good reasons to conclude that Peggy must have performed her actions on the right, and that all these actions should be ordered as on the figure. Intuitively, this conclusion of Victor's can be justified by the assumptions that

(i) anyone who originated the response had to previously receive the challenge $c^{VP}x$, which could only happen after Victor sent this challenge;

(ii) no one could produce $r^{VP}x$ without knowing the secret $s^{VP}$, so it must be Peggy.

This last conclusion is based on the assumption that only Peggy knows $s^{VP}$, or only Peggy and Victor. In both cases, Victor's reasoning is the same, because he knows that he did not send $r^{VP}x$.

Using the derivability relation, these informal justifications can be refined into slightly more formal proof obligations in terms of (3), as follows. For any set of principals $\Pi$, it is required that

(i) whenever there is a derivation $\Sigma \vdash r^{VP}x$, then there must also be a derivation $\Sigma \vdash c^{VP}x$, for any set of terms $\Sigma$ observed by $\Pi$ in a run of CR before $r^{VP}x$ is sent;

(ii) whenever there is a derivation $\Sigma, c^{VP}x \vdash r^{VP}x$, then there must also be a derivation $\Sigma, c^{VP}x \vdash s^{VP}$, for any set of terms $\Sigma$ known to $\Pi$ in a run of CR before $r^{VP}x$ is sent.

This type of authentication reasoning can be formalized using the notion of guards from [24].

Definition 3.2 We say that a set of sets of terms $\mathcal{G}$ algebraically guards a term $t$ with respect to a set of terms $\mathcal{T}$, and write $\mathcal{G}$ guards $t$ within $\mathcal{T}$, if for all $\Sigma \subseteq \mathcal{T}$ holds

$\Sigma \vdash t \implies \exists \Gamma \in \mathcal{G}.\ \Sigma \vdash \Gamma$ (4)


Explanation. We say that, in a context $\mathcal{T}$, $\mathcal{G}$ guards $t$ if every computation path to $t$ leads through some element of $\mathcal{G}$. In other words, if $\Sigma$ allows computing $t$, then it is "because" it allows computing some of $t$'s guards from $\mathcal{G}$.

Example. Let $\mathcal{T} = \langle DH \rangle$ be the set of terms that may become known to the participants and eavesdroppers of a run of the Diffie-Hellman protocol. Then

$\{\{x, g^y\}, \{y, g^x\}\}$ guards $g^{xy}$ within $\langle DH \rangle$

Note that $g^{xy}$ can be derived not only from $\{x, g^y\}$ and $\{y, g^x\}$ but also from $\{g, x, y\}$ and $\{g, xy\}$; however, neither of these sets can occur in a run of the Diffie-Hellman protocol between two honest principals, so they are not contained in the set $\mathcal{T} = \langle DH \rangle$.
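The derivability relation (3) and the guard condition (4), checked on the Diffie-Hellman example above. This is an added example, not the paper's formalism: it assumes a constructed toy message algebra with pairing, projections and exponentiation (the equation $(g^x)^y = (g^y)^x = g^{xy}$ is built in by normalizing exponents), a bounded saturation in place of full derivability, and an explicit list of contexts $\Sigma$ standing in for the subsets of $\langle DH \rangle$ that occur in an honest run.

```python
# Constructed toy message algebra (not the paper's formalism).  Terms are
# Python values: atoms are strings, ('pair', a, b) is the pairing of Def. 3.1,
# ('mul', a, b) is a product of exponents, and ('exp', base, exps) is base
# raised to the sorted tuple of exponents exps, so that (g^x)^y, (g^y)^x and
# g^(xy) all normalize to the same term.


def exp(base, e):
    """Exponentiation with the Diffie-Hellman equations built in by
    normalization of the exponent tuple."""
    es = (e[1], e[2]) if isinstance(e, tuple) and e[0] == "mul" else (e,)
    if isinstance(base, tuple) and base[0] == "exp":
        return ("exp", base[1], tuple(sorted(base[2] + es)))
    return ("exp", base, tuple(sorted(es)))


def pair(a, b):
    return ("pair", a, b)


def projections(t):
    """pi_1 and pi_2 of Def. 3.1; they only apply to pairs."""
    if isinstance(t, tuple) and t[0] == "pair":
        return [t[1], t[2]]
    return []


def is_exponent(t):
    # Atoms other than the generator g, and products of them, may serve as exponents.
    return (isinstance(t, str) and t != "g") or (isinstance(t, tuple) and t[0] == "mul")


def closure(sigma, depth=2):
    """Bounded saturation of Sigma under the operations: every term obtainable
    by at most `depth` rounds of projections and exponentiation.  Pairing is
    not applied (it only builds larger terms), so this is a finite
    approximation of the subalgebra generated by Sigma."""
    known = set(sigma)
    for _ in range(depth):
        new = set()
        exponents = [t for t in known if is_exponent(t)]
        for t in known:
            new.update(projections(t))
            if t == "g" or (isinstance(t, tuple) and t[0] == "exp"):
                for e in exponents:
                    new.add(exp(t, e))
        known |= new
    return known


def derives(sigma, t, depth=2):
    """Sigma |- t, relation (3), up to the saturation bound."""
    return t in closure(sigma, depth)


def guards(guard_family, t, contexts, depth=2):
    """Condition (4): for every context Sigma in `contexts`, Sigma |- t implies
    Sigma |- Gamma for some Gamma in guard_family, i.e. every term of Gamma is
    derivable from Sigma."""
    for sigma in contexts:
        if derives(sigma, t, depth):
            cl = closure(sigma, depth)
            if not any(set(gamma) <= cl for gamma in guard_family):
                return False
    return True


# The Diffie-Hellman example of the text.
G_X, G_Y = exp("g", "x"), exp("g", "y")
G_XY = exp(G_X, "y")
DH_GUARDS = [{"x", G_Y}, {"y", G_X}]
# Contexts that occur in a run between honest principals: the two parties'
# views and the eavesdropper's view (constructed for the example).
DH_CONTEXTS = [{"g", "x", G_Y}, {"g", "y", G_X}, {"g", G_X, G_Y}]


if __name__ == "__main__":
    print("g^xy from {x, g^y}:", derives({"x", G_Y}, G_XY))
    print("g^xy from {g, g^x, g^y}:", derives({"g", G_X, G_Y}, G_XY))
    print("guards within DH run contexts:", guards(DH_GUARDS, G_XY, DH_CONTEXTS))
    # {g, xy} derives g^xy without passing through either guard, but does not
    # occur in an honest run; adding it as a context breaks the guard condition.
    print("guards with {g, xy} added:",
          guards(DH_GUARDS, G_XY, DH_CONTEXTS + [{"g", ("mul", "x", "y")}]))
```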

Definition 3.3 Let $Q$ be a protocol run, and $A$ a set of actions in $Q$. The term context is the set

$Q(A) = \bigcup_{P \in \Pi} \Gamma_P \cup \Gamma_P^A$

where $\Pi$ is the set of principals engaged in the run, $\Gamma_P$ is the set of terms known to a principal $P$ initially, and $\Gamma_P^A$ is the set of terms known to $P$ before any of the actions $a \in A$ are executed in $Q$.

Using  the  guard  relation,  we  can  prove  that  the  challenge-response  protocol 
validates  authentication. 

Theorem 3.4 Let $Q$ be a run of the challenge-response protocol on Fig. 2. Suppose that the functions $c^{VP}$ and $r^{VP}$ satisfy

$\{\{c^{VP}x, s^{VP}\}\}$ guards $r^{VP}x$ within $Q(r^{VP}x)$

where $s^{VP}$ is a secret known only to Peggy (and possibly to Victor). Then Victor is justified in drawing the following global conclusion from his local observations:

$V : (\nu x)_V \rhd \langle c^{VP}x \rangle_V \rhd (r^{VP}x)_V \implies \big( (\nu x)_V \rhd \langle c^{VP}x \rangle_V \rhd ((c^{VP}x))_P \rhd \langle\langle r^{VP}x \rangle\rangle_P \rhd (r^{VP}x)_V \big)$ (cr)

where the relation $a \rhd b$ says that action $a$ occurs before action $b$, and $\langle\langle m \rangle\rangle_P$ denotes the first time $P$ sends message $m$ after creating it.

The  proof  of  this  theorem  is  obtained  by  expanding  the  definition  of  the  guard 
relation  and  analyzing  the  term  context  of  the  challenge-response  protocol.  Several 
examples  of  reasoning  with  this  relation  can  be  found  in  [24]. 

Comment about perfect cryptography. The algebraic guard relation is based on the assumption that a term can only be derived algebraically, using the given operations and equations. A term $t$ thus either lies in a subalgebra generated by a set of terms $\Sigma$, or not, and we have $\Sigma \vdash t \vee \Sigma \nvdash t$. This means that the attacks on the implementation of the term $t$ are abstracted away. In particular, we assume that it is impossible to cryptanalyze the bitstrings representing $t$, and to derive $t$ by accumulating partial information about it. In other words, we assume perfect cryptography.

Moreover, we assume that the algebraic derivations $\Sigma \vdash t$ only use the equations specified in the given algebraic theory $\mathcal{T} = (O, E)$. This means that the message algebra $T$ is assumed to be a free $\mathcal{T}$-algebra, or that it is computationally unfeasible for the attacker to find any additional equations that $T$ satisfies, not specified in the theory $\mathcal{T}$, and to use them in his derivations. This is roughly the pseudo-free algebra assumption [28].

Can we apply Thm. 3.4 to the Hancke-Kuhn protocol? The Hancke-Kuhn protocol on Fig. 1 is obviously a timed version of the challenge-response template from Fig. 2, for which Thm. 3.4 provides a general security claim. If the guard condition holds, then the Theorem yields the security of the Hancke-Kuhn protocol.

In the algebraic model, the attacker at a given state either knows a term, or not. As explained in Sec. 2, the attacker on the Hancke-Kuhn protocol may always obtain half of the bits of the secret shared by Victor and Peggy by challenging her. Does this mean that the attacker gets to know the secret? If not, then the guard condition is satisfied. To apply Thm. 3.4, we should thus set up the algebraic model so that a term is known only when all of its bits are known.

However, the same security proof would also hold for a modified version of the Hancke-Kuhn protocol, e.g. where $x \boxplus h = \ldots$ if $x = a$ and $x \boxplus h = \ldots$ otherwise, for some fixed $a \in \ldots$. The attacker still cannot algebraically derive the term $x \boxplus h$ without $x$, because this term still depends on $x$. The guard condition holds, and thus the protocol is algebraically secure. In reality, though, the attacker who always responds with the value that $x \boxplus h$ takes when $x \neq a$ will succeed with a probability greater than $1 - 2^{-\ell}$, assuming that the challenge $x$ is drawn uniformly. The algebraic security of the Hancke-Kuhn type of protocols is not very realistic.


4  Protocol  models  with  guessing 

In this section we propose a probabilistic refinement of the guard relation, which captures and quantifies just the partial information leaks, like the one in the Hancke-Kuhn protocol, without adding any unnecessary conceptual machinery.


4.1 Implementing and guessing messages

In order to reason about the feasibility of the algebraic operations on messages, and about guessing, we consider the implementations of the messages $t \in \mathcal{T}$ in an algebra $\Omega$ of strings, which carries the structure of a message $\mathbb{T}$-algebra, and moreover a set of randomized functions.

For concreteness, we assume that $\Omega = \mathbb{Z}_2^*$ is the set of bitstrings. However, any graded free monoid would do, since the only operations that we use are the concatenation and the length.


4.1.1 Implementing messages

Let $H$ be a partially ordered set. We call an infinitely increasing chain $h_0 < h_1 < h_2 < \cdots$ in $H$ an $H$-tower. We denote by … the set of towers in $H$.

Any free monoid $\Omega$ is partially ordered by the prefix relation

$$a \sqsubseteq b \iff \exists c \in \Omega.\ a :: c = b$$

where $a :: c$ can be viewed as the concatenation of the strings $a$ and $c$. We call $\Omega$-towers streams. They are just infinite sequences of strings, strictly extending each other: a stream is a sequence $a = \{a_\ell\}_{\ell \in \mathbb{N}}$ such that $a_\ell \sqsubset a_{\ell+1}$ for all $\ell$. A stream $a$ is called an $\ell$-stream if the length of the $\ell$-th element is exactly $|a_\ell| = \ell$. The set of streams through $\Omega$ is denoted by ….

$\mathbb{N}$ can be viewed as the special case, since a natural number can be viewed as a string of 1s. The set of $\mathbb{N}$-towers consists of strictly increasing sequences of natural numbers.

Definition 4.1 Let $X$ be a set of indeterminates. Its strength is a map $|-| : X \to \mathbb{N}^{\mathbb{N}}$ assigning to each indeterminate $x$ for each value of the security parameter $\ell \in \mathbb{N}$ the required length $|x|_\ell \in \mathbb{N}$.

An environment is a partial map $\eta$ from $X$ to streams such that $|\eta(x)_\ell| = |x|_\ell$ whenever $\eta(x)_\ell$ is defined.

An implementation of a $\mathbb{T}$-algebra $\mathcal{T}$ is an injective $\mathbb{T}$-algebra homomorphism

$$[\![-]\!] : \mathcal{T} \to \Omega$$

An environment and an implementation induce a $\mathbb{T}$-algebra homomorphism $[\![-]\!]_\eta$ from $\mathcal{T}[X_\eta]$ into the streams over $\Omega$, where $X_\eta \subseteq X$ is the domain of definition of $\eta$. We call this homomorphism an implementation too whenever it is injective.

The implementation of the algebra $\mathcal{T}$ assigns a unique string to each term. By definition of the polynomial algebra $\mathcal{T}[X_\eta]$, every algebra homomorphism $\mathcal{T} \to U$ to another algebra $U$, and a function $X_\eta \to U$ induce a unique algebra homomorphism $\mathcal{T}[X_\eta] \to U$.

Since any algebraic operation on $\Omega$ lifts to a pointwise operation over any power $\Omega^{\mathbb{N}}$, it also lifts to streams. So the set of streams is also a $\mathbb{T}$-algebra, and a monoid for (elementwise) concatenation.⁴

Notation. When confusion seems unlikely, we ignore the difference between the indeterminates $x, y, \ldots \in X$ and their environment values $\eta(x), \eta(y), \ldots \in \Omega$.

4.1.2 Randomized functions

Consider the set of partial functions

$$\mathcal{R} = \{\, f : \Omega \times \Omega \rightharpoonup \Omega \mid \forall a\,\forall\rho_1\,\forall\rho_2.\ f(\rho_1, a)\!\downarrow \wedge f(\rho_2, a)\!\downarrow \Rightarrow |\rho_1| = |\rho_2| \,\}$$

where $f(\rho, a)\!\downarrow$ means that $f$ is defined on $\rho, a$, and $|\rho|$ is the length of the bitstring $\rho$. The set $\mathcal{R}$ is a monoid with the following composition operation

$$f \circ g\,(\rho_2 :: \rho_1, a) = f(\rho_2, g(\rho_1, a))$$

and with the function $\iota(\epsilon, a) = a$ as the unit, where $\epsilon$ denotes the empty string. We interpret the elements of $\mathcal{R}$ as randomized functions over $\Omega$: the first argument $\rho$ represents the random seed, and the second argument $a$ is the actual input. The output $fa$ can then be viewed as a random variable with the probability distribution

$$\mathrm{Prob}(fa = b) = \frac{\#\{\rho \mid f(\rho, a) = b\}}{2^{r}} \qquad (5)$$

where $r$ is the length of all $\rho$ for which $f(\rho, a)$ is defined. Leaving the seed implicit, we denote randomized functions, as presented in $\mathcal{R}$, in the form $f : \Omega \xrightarrow{\ \mathcal{R}\ } \Omega$.

⁴ Grading is not an algebraic operation, and it does not lift: the length of each stream is infinite.

Definition 4.2 A stream of functions is a sequence $f = \{f_\ell\}_{\ell \in \mathbb{N}} \in \mathcal{R}^{\mathbb{N}}$ which is monotone, in the sense that for all streams $a, \rho$ at every $\ell \in \mathbb{N}$ holds

$$f_\ell(\rho_\ell, a_\ell)\!\downarrow \wedge f_{\ell+1}(\rho_{\ell+1}, a_{\ell+1})\!\downarrow \Rightarrow f_\ell(\rho_\ell, a_\ell) \sqsubseteq f_{\ell+1}(\rho_{\ell+1}, a_{\ell+1})$$

We denote the monoid of streams of functions by $\mathcal{R}^{\uparrow}$.

4.1.3 Indistinguishability

Surviving the flood of negligible factors. Every subterm of every term in every security protocol can in principle be guessed. Such probabilities are usually tolerably small: they are negligible functions of some security parameter $\ell$. In probabilistic analyses, it is often convenient to ignore such events of negligible probability. In a protocol analysis, tracking all terms and subterms that can be guessed with a negligible probability can lead to a lengthy list, without revealing anything non-negligible. In this section, we provide an underpinning for formal probabilistic reasoning up to negligible factors.

The frequencies of events are established by repeated sampling. The number of samples needed for a reasonable estimate depends on the a priori chance that the event will occur. If this chance is 1 in $n$, then the number of needed samples is an increasing function of $n$.

When sampling a stream $a = \{a_\ell\}_{\ell \in \mathbb{N}}$ we assume that a reasonable amount of samples should not be greater than $q(\ell)$, where $q$ is a function from a rig⁵ $Q \subseteq \mathbb{N}^{\mathbb{N}}$. In cryptography it is customary to take $Q = \mathbb{N}[x]$, the polynomials with non-negative integer coefficients. Streams are thus sampled a polynomial number of times. If the probability that the difference between $a_\ell$ and $b_\ell$ will be detected in $q(\ell)$ samples remains small for all $\ell$, then $a = \{a_\ell\}_{\ell \in \mathbb{N}}$ and $b = \{b_\ell\}_{\ell \in \mathbb{N}}$ are considered indistinguishable. In other words, $a$ and $b$ are indistinguishable if the probability that $a_\ell$ and $b_\ell$ are different is less than $\frac{1}{q(\ell)}$ for all $q \in Q$. Now we formalize this intuition.

Definition 4.3 A function $\nu : \mathbb{N} \to [0, 1]$ is said to be $Q$-negligible if it converges to 0 faster than $\frac{1}{q}$ for all $q \in Q$, i.e.

$$\forall q \in Q\ \exists n \in \mathbb{N}\ \forall \ell > n.\ \nu(\ell) < \frac{1}{q(\ell)}$$

⁵ A rig $Q$ is a "ring without the negatives": it consists of two commutative monoid structures, $(Q, +, 0)$ and $(Q, \cdot, 1)$, such that $x \cdot (y + z) = x \cdot y + x \cdot z$ and $x \cdot 0 = 0$.


The set of $Q$-negligible functions is denoted by …. The ordering on streams $a, b \in [0, 1]^{\mathbb{N}}$ is defined up to negligible functions, i.e.

$$a \preceq b \iff \exists \nu\ \forall \ell.\ a_\ell \le b_\ell + \nu(\ell)$$

We say that $a, b \in [0, 1]^{\mathbb{N}}$ are $Q$-indistinguishable, and write $a \sim b$, if $a \preceq b$ and $b \preceq a$, or equivalently

$$a \sim b \iff \exists \nu\ \forall \ell.\ |a_\ell - b_\ell| < \nu(\ell)$$

Assumption, examples. For simplicity, we take $Q$ to be the rig $\mathbb{N}[x]$ of polynomials with non-negative integer coefficients, as it is usually taken in cryptography. Then, e.g., for $a = \ldots$ and $b = \ldots$ holds $a \sim 0$, but $b \not\sim 0$, where $0$ is viewed as the constant sequence.

Definition 4.4 Streams of functions $f$ and $g$ are indistinguishable if the sequences $\mathrm{Prob}(fa = b)$ and $\mathrm{Prob}(ga = b)$ are indistinguishable for all streams $a, b$. We abbreviate

$$f \sim g \iff \forall a\,b.\ \mathrm{Prob}(fa = b) \sim \mathrm{Prob}(ga = b)$$

Definition 4.5 A flow is an equivalence class of streams of randomized functions. The flow monoid $\overline{\mathcal{R}}$ is thus

$$\overline{\mathcal{R}} = \mathcal{R}^{\uparrow}/\!\sim$$


4.2 Probabilistic derivability

In contrast with the algebraic derivability relation from Sec. 3.3, the probabilistic derivability relation does capture partial information leaks, using the implementations of the terms. While $\Xi \nvdash \Theta$ may happen because some $t \in \Theta$ is not algebraically derivable from $\Xi$, it may be easy to guess many bits of information about $\Theta$ from $\Xi$. We formalize this by saying that for some stream of randomized functions $f \in \mathcal{R}^{\uparrow}$, $\mathrm{Prob}(f[\![\Xi]\!] = [\![\Theta]\!])$ is high. By assumption, the messages $\Theta$ are easily decoded from their implementations $[\![\Theta]\!]$. So if some $f$ is likely to output $[\![\Theta]\!]$ on the input $[\![\Xi]\!]$, then the chance to derive $\Theta$ from $\Xi$ is high. This is what we want to capture by the following randomized derivability relation, which quantifies guessing chance.

Let $X(\Xi) \subseteq X$ be the set of indeterminates that occur in $\Xi$. Any minimal environment $\eta$ in which $[\![\Xi]\!]_\eta$ is defined must be defined over $X(\Xi)$. Since for each $\ell$ the required number of bits for each $x \in X(\Xi)$ is fixed to $|x|_\ell$, each $\eta_\ell$ must select the same number of bits

$$|X(\Xi)|_\ell = \sum_{x \in X(\Xi)} |x|_\ell$$

So there are $2^{|X(\Xi)|_\ell}$ environments to interpret $\Xi$ for the security parameter $\ell$. Our chance to guess $\Theta$ from $\Xi$ is the probability that a flow $f \in \overline{\mathcal{R}}$ will output $[\![\Theta]\!]_\eta$ when given the input $[\![\Xi]\!]_\eta$, for the random choices of $\eta$. Hence the following definition.

Definition 4.6 The guessing chance $[\Xi \vdash \Theta]$ is the stream of probabilities

$$[\Xi \vdash \Theta]_\ell = \bigvee_{f_\ell \in \mathcal{R}} \frac{\#\{\eta_\ell \mid f_\ell[\![\Xi]\!]_{\eta\ell} = [\![\Theta]\!]_{\eta\ell}\}}{2^{|X(\Xi, \Theta)|_\ell}} \qquad (6)$$

viewed up to indistinguishability.

We abbreviate $[\emptyset \vdash \Theta]$ to $[\Theta]$.

Since the functions in the sequence $\{f_\ell\}_{\ell \in \mathbb{N}}$ compute on streams together, they form a stream of functions $f \in \mathcal{R}^{\uparrow}$, i.e. a flow $f[\![\Xi]\!] = [\![\Theta]\!]$.

Examples. For any closed term $t \in \mathcal{T}$, i.e. such that $X(t) = \emptyset$, it holds that $[t] = 1$. To see this, note that $[\![t]\!]$ is given in the empty environment $\eta_0$, and thus $X(t) = \emptyset$ implies $|X(t)|_\ell = 0$ for all $\ell$. The supremum of (6) is reached at the constant function stream $f() = [\![t]\!]$, and gives $[t] = \frac{1}{2^0} = 1$.

On the other hand, for every $x \in X$ holds $[x] \sim 0$. There are exactly $2^{|x|_\ell}$ environments $\eta_x$, defined on $x$ alone. To guess $x$ without any inputs, we need a constant flow $f$, such that $f() = [\![x]\!] = \eta_x(x)$, i.e. a constant stream of functions $f_\ell() = \eta_x(x)_\ell$. Whichever $f$ we may choose, exactly one environment $\eta_x$ will give $f() = \eta_x(x)$. So for every constant flow $f$ holds $\#\{\eta_x \mid f() = \eta_x(x)\} = 1$. The supremum in (6) is thus reached for all constant $f \in \overline{\mathcal{R}}$, and $[x]_\ell = 2^{-|x|_\ell}$. But the sequence $2^{-|x|_\ell}$ is indistinguishable from 0, as pointed out after Def. 4.3.

4.2.1 Subbayesian reasoning and Advantage

Proposition 4.7 For all sets of terms $\Xi, \Gamma, \Theta$ holds

$$[\Xi \vdash \Gamma] \cdot [\Xi, \Gamma \vdash \Theta] \le [\Xi \vdash \Gamma, \Theta] \qquad (7)$$

When $[\Gamma] > 0$, it follows that

$$[\Gamma \vdash \Theta] \le \frac{[\Gamma, \Theta]}{[\Gamma]} \qquad (8)$$

The inequalities become equalities if $\Xi$ and $\Theta$ have no indeterminates in common.

Definition 4.8 The advantage provided by a set of terms $\Xi$ in computing the terms $\Theta$ is the value

$$\mathrm{Adv}[\Xi \vdash \Theta] = [\Xi \vdash \Theta] - [\Theta]$$

When this advantage is zero, we say that $\Theta$ is flow independent of $\Xi$, and write

$$[\Xi \perp \Theta] \iff \mathrm{Adv}[\Xi \vdash \Theta] = 0 \iff [\Xi \vdash \Theta] = [\Theta]$$


4.3 Probabilistic guards

The idea of the guard relation is that a term $t$ is guarded by one of the guards from $\mathcal{G}$ if whenever $t$ is derived, then at least one of the guards $\Gamma \in \mathcal{G}$ is also derived. In the algebraic model, this was simple enough to state by Definition 3.2. When $t$ can be guessed, then this crude statement needs to be refined: the event that $t$ is guessed must be preceded by the event that some $\Gamma \in \mathcal{G}$ is guessed.

Definition 4.9 We say that a set of sets of terms $\mathcal{G}$ guards (against guessing) a term $t$ with respect to a set of terms $\mathcal{C}$, and write $\mathcal{G}$ guards $t$ within $\mathcal{C}$ if for all $\Xi \subseteq \mathcal{C}$ such that $\mathrm{Adv}[\Xi \vdash t] > 0$ holds

$$[\Xi \vdash t] \le \bigvee_{\Gamma \in \mathcal{G}} [\Xi \vdash \Gamma] \cdot [\Xi, \Gamma \vdash t] \qquad (9)$$

Explanation. In the algebraic case, (4) was an attempt to capture the intuition that $\mathcal{G}$ guards $t$ if all computational paths to $t$ lead through some $\Gamma \in \mathcal{G}$, assuming the context $\mathcal{C}$. The above definition extends this attempt to computational paths with guessing. If we get any help from $\Xi$ to guess $t$, then that help is not greater than the help we get from it to guess some guard $\Gamma \in \mathcal{G}$ of $t$ first, and then to guess $t$ from this guard. Applied to message theories with trivial implementations (e.g. with $\Omega = 1$), Def. 4.9 boils down to Def. 3.2, in the sense that the guessing chance is always constantly 0 or constantly 1, and (9) reduces to (4).

To simplify notation, we elide the environment subscripts from $[\![-]\!]_\eta$ whenever $\eta$ is inessential for the argument.

5 Partitioned functions and $\boxplus$

In  this  section  we  analyze  a  class  of  quickly  computable  functions,  like  the  one 
used  in  the  Hancke-Kuhn  protocol.  One  way  to  ensure  that  a  function  is  quickly 
computable  is  to  require  that  the  bit  dependency  of  its  outputs  from  its  inputs  must 
be  partitioned:  the  i-th  block  of  output  bits  should  only  depend  on  the  i-th  block 
of  input  bits.  Since  in  this  section  we  are  dealing  with  purely  random  input,  our 
results  are  presented  in  terms  of  streams,  not  flows. 

Definition 5.1 We say that a boolean function $f : \mathbb{Z}_2^m \to \mathbb{Z}_2^n$ is partitioned when

$$m = m_1 + m_2 + \cdots + m_\ell \qquad n = n_1 + n_2 + \cdots + n_\ell \qquad f = f_1 :: f_2 :: \cdots :: f_\ell$$

where $f_i : \mathbb{Z}_2^{m_i} \to \mathbb{Z}_2^{n_i}$ for $i = 1, 2, \ldots, \ell$ are independent of the inputs and the outputs of all other component functions, in the sense that $[x_J, f_J(x_J) \perp f_i(x_i)]$, where $J = \{j \le \ell \mid j \ne i\}$.

Clearly, a boolean function receiving its input string sequentially can already return the $i$-th block of its outputs while still receiving the $(i+1)$-st block of the inputs. Unfortunately, this convenient property also decreases the cryptographic strength of the function, which requires that each bit of the output depends on each bit of the input [33]. In particular, knowing a value $f(z)$ of a partitioned function increases the chance of guessing $f(x)$. We make this precise in the next section.

5.1 Guessing partitioned functions

Proposition 5.2 (a) Let $f$ be a randomized partitioned function, and let $x, z \in \mathbb{Z}_2^m$ be fixed bitstrings with a common block $x_i = z_i \in \mathbb{Z}_2^{m_i}$. Then $[x, z, f(z) \vdash f(x)] \ge 2^{n_i - n}$.

(b) Let $f : \mathbb{Z}_2^\ell \to \mathbb{Z}_2^\ell$ be randomized bitwise partitioned, i.e. $m_i = n_i = 1$ for all $i \le \ell$. Then $[x, z, f(z) \vdash f(x)] \ge 2^{-\Delta(x, z)}$, where $\Delta(x, z) = \#\{i \mid x_i \ne z_i\}$ is the Hamming distance.

A consequence of Prop. 5.2 is that a proximity authentication protocol, implemented using a partitioned function $R$ to compute the response $r\,x = R(s, c\,x)$, cannot be secure in an absolute sense, because the response may be guessed with a non-negligible probability from the other responses $r\,z$. Moreover, it seems that the attacker can always obtain some other responses $r\,z$ by impersonating Victor and issuing challenges $c\,z$.

Lemma 5.3 A randomized boolean function $f : \mathbb{Z}_2^\ell \to \mathbb{Z}_2^\ell$ is bitwise partitioned if and only if for every $x \in \mathbb{Z}_2^\ell$ it holds that

$$f(x) = x \boxplus (f(0^\ell) :: f(1^\ell)) \qquad (10)$$

where $\boxplus$ is the Hancke-Kuhn function (1), and $0^\ell, 1^\ell \in \mathbb{Z}_2^\ell$ are the strings of 0s and 1s, respectively.

Bitwise partitioned functions with a minimal guessing probability can now be completely characterized: they turn out to be precisely the Hancke-Kuhn functions (1) for which the values at 0 and at 1 are independent.

Proposition 5.4 Suppose that $f : \mathbb{Z}_2^\ell \to \mathbb{Z}_2^\ell$ is a randomized bitwise partitioned function such that $[x \perp f(0^\ell) :: f(1^\ell)]$. Then for fixed $z$ and $x \in \mathbb{Z}_2^\ell$:

$$[x, z, f(z) \vdash f(x)] = 2^{-\Delta(x, z)} \qquad (11)$$

if and only if for every $i \le \ell$ it holds that

$$[f_i(0) \perp f_i(1)] \ \text{ and } \ [f_i(1) \perp f_i(0)] \qquad (12)$$

Remark. In a sense, $x \boxplus (-) : \mathbb{Z}_2^{2\ell} \to \mathbb{Z}_2^\ell$ is thus a "one-and-a-half-way function", since $x \boxplus h$ discloses only one half of the bits of $h$.

On the other hand, $(-) \boxplus h : \mathbb{Z}_2^\ell \to \mathbb{Z}_2^\ell$ is not only an example of a bitwise partitioned function, satisfying the needs of the Hancke-Kuhn protocol, but it is a canonical way to represent such functions.
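The characterization in Lemma 5.3 and the remark above can be checked by brute force for small $\ell$. The following Python is an added example, not code from the paper: `is_bitwise_partitioned` tests equation (10) over all $2^\ell$ inputs, `disclosed_bits` lists which positions of $h = h^{(0)} :: h^{(1)}$ a response to $x$ reveals, and the three sample functions are constructed for the example.

```python
from itertools import product


def hk(x, h0, h1):
    """Hancke-Kuhn function (1): bit i of x ⊞ (h0 :: h1) is h0[i] if x[i] == 0, else h1[i]."""
    return tuple(h1[i] if x[i] else h0[i] for i in range(len(x)))


def is_bitwise_partitioned(f, ell):
    """Lemma 5.3: f is bitwise partitioned iff f(x) == x ⊞ (f(0^ell) :: f(1^ell)) for all x.
    Exhaustive over Z_2^ell, so meant for small ell only."""
    h0 = f((0,) * ell)
    h1 = f((1,) * ell)
    return all(f(x) == hk(x, h0, h1) for x in product((0, 1), repeat=ell))


def disclosed_bits(x, ell):
    """Remark after Prop. 5.4: a response to x reveals exactly one of h0[i], h1[i] per
    position, i.e. ell of the 2*ell bits of h = h0 :: h1. Returns their indices in h."""
    return tuple(i + ell if x[i] else i for i in range(ell))


# Sample functions constructed for this example (not from the paper).
def xor_with_key(key):
    # output bit i depends only on input bit i: bitwise partitioned
    return lambda x: tuple(a ^ k for a, k in zip(x, key))


def rotate_left(x):
    # output bit i depends on input bit i+1: not partitioned
    return x[1:] + x[:1]


def parity_mask(x):
    # every output bit depends on every input bit: not partitioned
    p = sum(x) % 2
    return tuple(b ^ p for b in x)


if __name__ == "__main__":
    for name, f in [("xor_with_key", xor_with_key((1, 0, 1))),
                    ("rotate_left", rotate_left),
                    ("parity_mask", parity_mask)]:
        print(name, is_bitwise_partitioned(f, 3))
    print(disclosed_bits((0, 1, 0), 3))
```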


5.2 Guessing $x \boxplus h$

We now consider the probability of guessing $x \boxplus h$ given various sorts of information that may be learned in the Hancke-Kuhn protocol.

Definition 5.5 a) For $x \in \mathbb{Z}_2^\ell$ and $I \subseteq \ell = \{0, 1, 2, \ldots, \ell - 1\}$ we define $x^{\circledast I}$ to be the bit string obtained by replacing for all $i \notin I$ the bits $x_i$ with a "wild card" $\circledast$:

$$x^{\circledast I}_j = \begin{cases} x_j & \text{if } j \in I \\ \circledast & \text{otherwise} \end{cases}$$

b) For $h = h^{(0)} :: h^{(1)}$, where $h^{(0)}, h^{(1)} \in \mathbb{Z}_2^\ell$, we define the kernel $\kappa h$ to be the set of places where its first and its second half coincide, i.e.

$$\kappa h = \{\, i \in \ell \mid h^{(0)}_i = h^{(1)}_i \,\}$$

We make use of these definitions in the following.

Proposition 5.6 Suppose that $h$ is the concatenation of two constant $\ell$-bit streams, and $x$ is a uniformly distributed $\ell$-bit stream. Then

(a) $[h \vdash x \boxplus h]_\ell = 2^{\#\kappa h - \ell}$

(b) $[x, h \vdash x \boxplus h]_\ell = [x^{\circledast\kappa h}, h \vdash x \boxplus h]_\ell$

The following lemma concerns the problem of deriving $x \boxplus h$ from $z \boxplus h$ for some $z$.

Proposition 5.7 Let $h$ be the concatenation of two uniformly distributed $\ell$-bit streams, let $x$ be a uniformly distributed $\ell$-bit stream, and let $z$ be any $\ell$-bit stream. Then the following holds.

$$[z \boxplus h \vdash x \boxplus h]_\ell = [z, z \boxplus h \vdash x \boxplus h]_\ell = \left(\tfrac{3}{4}\right)^{\ell}$$

6 Security of Hancke-Kuhn

We quantify the security of the Hancke-Kuhn protocol by evaluating $\mathrm{Prob}(crp)$, i.e. the probability that the sequence of events in a complete protocol run validates the following reasoning of Victor's

$$V : (\nu x)_V \triangleright \langle x\rangle_V \triangleright (x \boxplus h)_V \implies (\nu x)_V \triangleright \langle x\rangle_V \triangleright (x)_P \triangleright \langle x \boxplus h\rangle_P \triangleright (x \boxplus h)_V \qquad (crp)$$

corresponding to the run on Fig. 1. In order to evaluate this probability, we analyze the probability that (crp) fails. How can it happen that Victor observes a satisfactory sequence of his own actions

$$\mathcal{V} = (\nu x)_V \triangleright \langle x\rangle_V \triangleright (x \boxplus h)_V \qquad (13)$$

but that the desired run

$$\mathcal{O} = \langle x\rangle_V \triangleright (x)_P \triangleright \langle x \boxplus h\rangle_P \triangleright (x \boxplus h)_V \qquad (14)$$

did not take place? There are just two possibilities:

$\mathcal{A}$: the responder does not know the secret $s$, i.e. he is the Attacker,

$\mathcal{E}$: the responder knows the secret $s$, i.e. he is Peggy, but the response is sent Early, without receiving the challenge.

The remaining case, that the responder is Peggy, and she responds to the challenge, is just the event $\mathcal{O}$. Thus $\neg\mathcal{O} = \mathcal{A} \cup \mathcal{E}$. It follows that

$$\mathrm{Prob}(crp) = \mathrm{Prob}(\mathcal{O} \mid \mathcal{V}) = 1 - \mathrm{Prob}(\mathcal{A} \cup \mathcal{E} \mid \mathcal{V}) \ge 1 - \mathrm{Prob}(\mathcal{A} \mid \mathcal{V}) - \mathrm{Prob}(\mathcal{E} \mid \mathcal{V}) \qquad (15)$$

The (in)security of the Hancke-Kuhn protocol thus boils down to evaluating $\mathrm{Prob}(\mathcal{A} \mid \mathcal{V})$ and $\mathrm{Prob}(\mathcal{E} \mid \mathcal{V})$. The following lemmas and propositions show that these probabilities are negligible. The proofs are in the Appendix.


Response token. Recall that Peggy's response token $h = H(s :: a :: b)$ is derived from the shared secret $s$, Peggy's counter $a$, and Victor's counter $b$, using a secure public hash function $H$. In this section, $h$ abbreviates $H(s :: a :: b)$.

Assumption 6.1 The above decomposition of $\neg\mathcal{O}$ as $\mathcal{A} \cup \mathcal{E}$ is valid only if $h = H(s :: a :: b)$ is such that

• $|s| \gg |x|$, i.e. the attacker's chance to guess the secret $s$ is negligible compared with his chance to guess the challenge $x$;

• the counters $a$ and $b$ are never reused (although they may be predictable).

Otherwise, the attacker may guess $h$, and may not be covered by $\mathcal{A} \cup \mathcal{E}$.

6.1 Guards in undesired runs

In order to evaluate $\mathrm{Prob}(crp)$, we need to determine the probability that the correct response $x \boxplus h$ is guessed in the undesired runs $\mathcal{A}$ and $\mathcal{E}$. Towards this goal, we explore what can be guessed in the term contexts (cf. Def. 3.3) $\mathcal{A}(x \boxplus h)$ and $\mathcal{E}(x)$. The following lemmas simplify this question.

Lemma 6.2 (a) Let $\mathcal{A}$ be an attack run with a long term secret $s$, Peggy's counter $a$, Victor's counter $b$, and Attacker's challenge $z$, for which he obtains the response $z \boxplus h$, where $h = H(s :: a :: b)$. Then for any $\Xi \subseteq \mathcal{A}(x \boxplus h)$ it holds that

$$[\Xi \vdash x \boxplus h] = [\Xi \cap \{s, a, b, x, z, z \boxplus h\} \vdash x \boxplus h]$$

(b) Let $\mathcal{E}$ be a run with a long term secret $s$, Peggy's counter $a$, Victor's counter $b$, and where Peggy responds early. Then for any $\Xi \subseteq \mathcal{E}(x)$ it holds that

$$[\Xi \vdash x \boxplus h] = [\Xi \cap \{s, a, b\} \vdash x \boxplus h]$$

Lemma 6.3 For $h = H(s :: a :: b)$ and $\Gamma \subseteq \{z, z \boxplus h\}$ it holds that

$$[x \boxplus h]_\ell = [x, z \vdash x \boxplus h]_\ell = 2^{-\ell}$$

$$[a, b, s, x \vdash x \boxplus h] = 1$$

$$[a, b, s, x, \Gamma \vdash x \boxplus h] = 1$$

Proposition 6.4 $\{\{s\}, \{z \boxplus h\}\}$ guards $x \boxplus h$ within $\mathcal{A}(x \boxplus h)$

Proposition 6.5 $\{\{x^{\circledast\kappa h}\}\}$ guards $x \boxplus h$ within $\mathcal{E}(x)$

The guards displayed in the preceding Propositions will now be used to evaluate $\mathrm{Prob}(\mathcal{V} \mid \mathcal{A})$ and $\mathrm{Prob}(\mathcal{V} \mid \mathcal{E})$, i.e. the probabilities that the authentication may fail because the Attacker breaks it, or because Peggy succeeds in responding Early.

6.2 Bounds on undesired runs

Proposition 6.4 and the definition of probabilistic guards say that, for a given challenge $x$, the probability that an Attacker can violate authentication is bounded above by

$$[\Phi \vdash s] \cdot [\Phi, s \vdash x \boxplus h] \qquad (16)$$

or by

$$[\Phi \vdash z \boxplus h] \cdot [\Phi, z \boxplus h \vdash x \boxplus h] \qquad (17)$$

where $\Phi = \{a, b, z, z \boxplus h\}$. The first quantity is clearly negligible. We must show the same for the second.

Likewise, Proposition 6.5 implies that the probability that Peggy can respond Early is bounded above by

$$[s, a, b \vdash x^{\circledast\kappa h}] \cdot [s, a, b, x^{\circledast\kappa h} \vdash x \boxplus h] \qquad (18)$$

Note that in the attack run $\mathcal{A}$, the Attacker cannot learn $x$ until after she has created $z$. The distribution of $z$ is thus independent from that of $x$.

Proposition 6.6 Suppose that the Attacker, before receiving Victor's challenge $x$, can pick her own challenge $z$ and obtain a single response $z \boxplus h$. Then the stream of expected probabilities $\mathrm{Prob}(\mathcal{V} \mid \mathcal{A})$ that the Attacker can deceive Victor by guessing $x \boxplus h$ is indistinguishable from the stream of probabilities $p$ defined by

$$p_\ell = 2^{-\ell} \sum_{x \in \mathbb{Z}_2^\ell} [x, z, z \boxplus h \vdash x \boxplus h]_\ell = \left(\tfrac{3}{4}\right)^{\ell}$$

This means that $\mathrm{Prob}(\mathcal{V} \mid \mathcal{A})$ is negligible.

Proposition 6.7 The stream of expected probabilities $\mathrm{Prob}(\mathcal{V} \mid \mathcal{E})$ that Peggy can deceive Victor by guessing and sending her response before she receives the challenge is indistinguishable from the stream $q$ defined by

$$q_\ell = \sum_{h \in \mathbb{Z}_2^{2\ell}} 2^{-2\ell}\, [h \vdash x \boxplus h]_\ell = \left(\tfrac{3}{4}\right)^{\ell}$$

This means that $\mathrm{Prob}(\mathcal{V} \mid \mathcal{E})$ is negligible.

Note in particular that this means that in both cases the stream of probabilities is indistinguishable from zero, since the stream $\left(\tfrac{3}{4}\right)^{\ell}$ is itself indistinguishable from zero.
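The values in Props. 5.4, 5.7, 6.6 and 6.7 can be checked exactly for small $\ell$. The following Python is an added example, not code from the paper: it enumerates every $(x, z, h)$ and computes the success probability of a Bayes-optimal guesser of $x \boxplus h$ for each view that occurs in Sec. 6 (the supremum over guessing functions of Def. 4.6, taken by exhaustive enumeration rather than sampling), recovering $2^{-\ell}$, $(3/4)^{\ell}$ for both the Attacker's and the Early view, and $2^{-\Delta(x,z)}$ for fixed $x, z$. The view functions and the choice of small $\ell$ are assumptions of the example.

```python
from collections import Counter, defaultdict
from fractions import Fraction
from itertools import product


def bitstrings(ell):
    """All bit strings of length ell, as tuples of 0/1 (Z_2^ell)."""
    return list(product((0, 1), repeat=ell))


def hk(x, h0, h1):
    """Hancke-Kuhn function (1): bit i of x ⊞ (h0 :: h1) is h0[i] if x[i] == 0, else h1[i]."""
    return tuple(h1[i] if x[i] else h0[i] for i in range(len(x)))


def optimal_guess_success(ell, view, xs=None, zs=None):
    """Exact success probability of the best guesser of x ⊞ h who observes view(x, z, h0, h1).

    h0, h1 are uniform over Z_2^ell; x and z are uniform over xs and zs (default: all of
    Z_2^ell). For each observation the best guess is the most frequent correct response,
    so summing the largest bucket counts and dividing by the total gives the sup over
    guessing functions of Def. 4.6 by exhaustive enumeration (small ell only)."""
    xs = bitstrings(ell) if xs is None else list(xs)
    zs = bitstrings(ell) if zs is None else list(zs)
    buckets = defaultdict(Counter)  # observation -> how often each correct response occurs
    total = 0
    for x, z, h0, h1 in product(xs, zs, bitstrings(ell), bitstrings(ell)):
        buckets[view(x, z, h0, h1)][hk(x, h0, h1)] += 1
        total += 1
    return Fraction(sum(max(c.values()) for c in buckets.values()), total)


# Views of the guesser in the situations of Sec. 6 (constructed for this example).
def no_information(x, z, h0, h1):      # Lemma 6.3: [x ⊞ h]_ell = 2^-ell
    return ()


def attacker_view(x, z, h0, h1):       # Prop. 6.6: knows z and z ⊞ h, not x
    return (z, hk(z, h0, h1))


def early_peggy_view(x, z, h0, h1):    # Prop. 6.7: knows h = h0 :: h1, not x
    return (h0, h1)


def honest_peggy_view(x, z, h0, h1):   # Lemma 6.3: knows x and h, so always succeeds
    return (x, h0, h1)


def success_given_hamming(ell, x, z):
    """Prop. 5.4 for fixed x, z: having seen z ⊞ h, the best guess of x ⊞ h succeeds
    with probability 2^-Δ(x, z)."""
    return optimal_guess_success(ell, attacker_view, xs=[x], zs=[z])


if __name__ == "__main__":
    for ell in (1, 2, 3):
        print(ell, optimal_guess_success(ell, attacker_view),
              optimal_guess_success(ell, early_peggy_view), Fraction(3, 4) ** ell)
```

The enumeration is $2^{4\ell}$ cases per call, so keep $\ell \le 4$; the exact fractions equal $(3/4)^\ell$ for both undesired runs, as Props. 6.6 and 6.7 state.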

The final result is obtained by putting Propositions 6.4 and 6.6 together.

Theorem 6.8 Suppose that the Hancke-Kuhn protocol is realized in such a way that it satisfies Assumption 6.1, and does not always fail for trivial reasons: i.e., there are some sessions with an honest prover Peggy and an honest verifier Victor. Formally, this means that there are $C, D \in (0, 1)$ such that

• $\mathrm{Prob}(\mathcal{A}), \mathrm{Prob}(\mathcal{E}) \le C$, i.e. not every response is from an Attacker, or too Early,

• $\mathrm{Prob}(\mathcal{V}) \ge D$, i.e. Victor sometimes observes a satisfactory run and accepts.

Then $\mathrm{Prob}(crp)$ is indistinguishable from 1. In other words, the Hancke-Kuhn protocol achieves authentication almost certainly.


7 Conclusion

We have presented a framework for extending algebraic cryptographic models to probabilistic models and used it to construct a probabilistic extension of the Protocol Derivation Logic. We have illustrated it by applying it to an analysis of the Hancke-Kuhn distance bounding protocol. We expect that it will be useful in the analysis of many other protocols that rely on weak cryptography to take advantage of non-standard communication channels.

We should also point out that the potential applications of our framework go far beyond purely probabilistic extensions. The main thing that needs to be done to make our framework applicable to computational models is to define a notion of feasibly computable functions, so that guessing probability can be defined in terms of feasible function streams instead of all possible function streams. We have defined such a notion and are currently investigating its applications to protocols. In future work, we expect to present a more general framework that can incorporate a wide range of methods of cryptographic reasoning.
A Appendix: The Proofs

Proof of Prop. 4.7. Let $f_\ell$ and $g_\ell$ be randomized functions. Consider the sets $F = \{\eta_\ell \mid f_\ell[\![\Xi]\!]_{\eta\ell} = [\![\Gamma]\!]_{\eta\ell}\}$ and $G = \{\eta_\ell \mid g_\ell[\![\Xi, \Gamma]\!]_{\eta\ell} = [\![\Theta]\!]_{\eta\ell}\}$.

Claim 1. If for $x, y \in X(\Xi, \Gamma)$ and $\eta_\ell$ such that $g_\ell[\![\Xi, \Gamma]\!]_{\eta\ell} = [\![\Theta]\!]_{\eta\ell}$ holds $\eta_\ell(x) = \eta_\ell(y)$, then for $\tilde g_\ell$, which is equal to $g_\ell$ everywhere except on $\eta_\ell(x) \ne \eta_\ell(y)$, holds that $\tilde g_\ell[\![\Xi, \Gamma]\!]_{\tilde\eta\ell} = [\![\Theta]\!]_{\tilde\eta\ell}$, for $\tilde\eta$ modified accordingly. (Intuitively, separating two pieces of input can only provide more information, not less.)

Claim 2. If $f_\ell[\![\Xi]\!]_{\chi\ell} = [\![\Gamma]\!]_{\chi\ell}$ and $\mathrm{dom}(\chi_\ell) \subseteq \mathrm{dom}(\eta_\ell)$, with $\chi_\ell(x) \ne \chi_\ell(y) \Rightarrow \eta_\ell(x) \ne \eta_\ell(y)$, then $f_\ell$ can be precomposed with a permutation to yield $\tilde f_\ell$ with $\mathrm{dom}(\tilde\chi_\ell) \subseteq \mathrm{dom}(\eta_\ell)$ and ….

The consequence of these claims is that we can modify $f_\ell$ and $g_\ell$ to $\tilde f_\ell$ and $\tilde g_\ell$ so that $\#\tilde F = \#F$ and $\#\tilde G = \#G$.

Now let $h_\ell(x) = f_\ell(x) :: g_\ell(x :: y)$. Since thus $h_\ell[\![\Xi]\!]_{\eta\ell} = (f_\ell[\![\Xi]\!]_{\eta\ell}) :: (g_\ell[\![\Xi, \Gamma]\!]_{\eta\ell}) = [\![\Gamma, \Theta]\!]_{\eta\ell}$ holds, we have

$$\frac{\#\{\eta_\ell \mid f_\ell[\![\Xi]\!]_{\eta\ell} = [\![\Gamma]\!]_{\eta\ell}\}}{2^{|X(\Xi, \Gamma, \Theta)|_\ell}} \cdot \frac{\#\{\eta_\ell \mid g_\ell[\![\Xi, \Gamma]\!]_{\eta\ell} = [\![\Theta]\!]_{\eta\ell}\}}{2^{|X(\Xi, \Gamma, \Theta)|_\ell}} \le \frac{\#\{\eta_\ell \mid h_\ell[\![\Xi]\!]_{\eta\ell} = [\![\Gamma, \Theta]\!]_{\eta\ell}\}}{2^{|X(\Xi, \Gamma, \Theta)|_\ell}}$$

The inequality $[\Xi \vdash \Gamma] \cdot [\Xi, \Gamma \vdash \Theta] \le [\Xi \vdash \Gamma, \Theta]$ follows by observing that

$$\frac{\#\{\eta_\ell \mid f_\ell[\![\Xi]\!]_{\eta\ell} = [\![\Gamma]\!]_{\eta\ell}\}}{2^{|X(\Xi, \Gamma, \Theta)|_\ell}} \le \frac{\#\{\eta_\ell \mid f_\ell[\![\Xi]\!]_{\eta\ell} = [\![\Gamma]\!]_{\eta\ell}\}}{2^{|X(\Xi, \Gamma)|_\ell}} \qquad \square$$


Proof of Prop. 5.2. For (a), $x_i = z_i$ yields $f_i(x_i) = f_i(z_i)$, so we only need to guess at most $n - n_i$ bits. For (b), $x_i$ and $z_i$ are bits, and $n - \Delta(x, z)$ of them are equal, so we only need to guess at most $\Delta(x, z)$ bits. $\square$

Proof of Lemma 5.3. $(f(x))_i = f_i(x_i) = (x \boxplus (f(0^\ell) :: f(1^\ell)))_i$ holds by the definition of bitwise partitioned functions at the first step, and by (1) at the second step. $\square$

Proof of Prop. 5.4. Assumptions (12) say that the inequality $x_i \ne z_i$ implies $[x_i, z_i, f_i(z_i) \vdash f_i(x_i)] = [x_i \vdash f_i(x_i)]$. On the other hand, by definition, the components of a partitioned function are mutually independent. Hence

$$[x, z, f(z) \vdash f(x)] = \prod_{i=1}^{\ell} [x, z, f(z) \vdash f_i(x_i)] = \prod_{i=1}^{\ell} [x_i, z_i, f_i(z_i) \vdash f_i(x_i)] = \prod_{x_i \ne z_i} [x_i \vdash f_i(x_i)] = 2^{-\Delta(z, x)}$$

The other way around, using (11) at the second step, we get

$$\prod_{i=1}^{\ell} [x_i, z_i, f_i(z_i) \vdash f_i(x_i)] = [x, z, f(z) \vdash f(x)] = 2^{-\Delta(x, z)} = \prod_{x_i \ne z_i} [x_i \vdash f_i(x_i)]$$

which, with the componentwise independence, yields (12). $\square$

Proof of Prop. 5.6. Note that for each $i \in \kappa h$, the bit $(x \boxplus h)_i = h^{(0)}_i = h^{(1)}_i$ does not depend on $x_i$. This means that $x \boxplus h$ only depends on $x^{\circledast\kappa h}$. $\square$

Proof of Prop. 5.7. Guessing $x \boxplus h$ from $z$ and $z \boxplus h$ can be modeled as a version of the Monty Hall problem [31], where Monty randomly selects $x$ and $h$ and the contestant chooses $z$. Monty then announces $z \boxplus h$ and the contestant guesses $x \boxplus h$.

Since the bits of $x \boxplus h$ are independent, it is enough to consider the case $\ell = 1$. Monty then flips three fair coins to pick the secret bits $x, h^{(0)}$ and $h^{(1)}$, while the contestant picks a bit $z$. Monty then announces $z \boxplus h = h^{(z)}$. Should the contestant now guess that $x \boxplus h = z \boxplus h$, or should he switch to $x \boxplus h = \neg(z \boxplus h)$?

Denote by $q$ the probability that the contestant picks $x \boxplus h = z \boxplus h$. If $h^{(0)} = h^{(1)}$ the contestant wins with this choice, because the value $x \boxplus h$ is the same for every $x$. Since $h^{(0)}$ and $h^{(1)}$ were randomly chosen, $\mathrm{Prob}(h^{(0)} = h^{(1)}) = \frac{1}{2}$. Otherwise, if $h^{(0)} \ne h^{(1)}$ then $x \boxplus h = z \boxplus h$ holds if and only if $x = z$. Since $x$ is random, $\mathrm{Prob}(x = z) = \frac{1}{2}$, and hence $\mathrm{Prob}(h^{(0)} \ne h^{(1)} \wedge x = z) = \frac{1}{4}$, because $h^{(0)}, h^{(1)}$ and $x$ are independent.

The probability that the contestant will make a correct guess is thus

$$q \cdot \Big(\mathrm{Prob}(h^{(0)} = h^{(1)}) + \mathrm{Prob}(h^{(0)} \ne h^{(1)} \wedge x = z)\Big) = \frac{3q}{4}$$

To maximize this probability, the contestant needs $q = 1$, and should thus stick with Monty's bit $z \boxplus h$.

The proof for $[z \boxplus h \vdash x \boxplus h]$ differs just in the detail that $z$ is not chosen by the contestant, but obeys some unknown distribution. However, $x$ is still independent of $z$. Thus for some $p$, $\mathrm{Prob}(x = z) = \mathrm{Prob}(x = 0) \cdot \mathrm{Prob}(z = 0) + \mathrm{Prob}(x = 1) \cdot \mathrm{Prob}(z = 1) = \frac{1}{2}p + \frac{1}{2}(1 - p) = \frac{1}{2}$. $\square$

Proof of Lemma 6.2(a). By assumption, the outputs of the hash function $H$ are indistinguishable from random strings, and thus satisfy $[H(u) \perp H(v)]$ for all $u \neq v$.

Recall that $\mathcal{A}(x \boxplus h)$ is the union of the contexts observed by the possible participants in the run $\mathcal{A}$, before $x \boxplus h$ is known. Besides $s$, known by Victor and Peggy, and $a$, $b$ and $x$, announced publicly but never reused, the context $\mathcal{A}(x \boxplus h)$ thus also contains a single additional challenge $z$, issued by the Attacker, and the corresponding response $z \boxplus h$ (provided by Peggy before she receives Victor's challenge $x$).

Moreover, the Attacker may issue a family $Y \subseteq \mathbb{Z}_2^{\ell}$ of additional challenges to Peggy, and construct a list $\{b_y\}_{y \in Y}$ of the future values of Victor's counter. To each new challenge, Peggy will respond with $y \boxplus h_y$, where each response token $h_y = H(s :: a_y :: b_y)$ is derived using a new value of the counter $a_y$. By assumption, $[h_y \perp h]$ holds for all $y$. Independently of the distance between the challenges in $Y$ and the challenge $x$, the responses $y \boxplus h_y$ will provide no information about $x \boxplus h$. In summary, the term context $\mathcal{A}(x \boxplus h)$ is thus

$$\{s, a, b, x, z, z \boxplus h\} \;\cup\; \{y, a_y, b_y, y \boxplus h_y \mid h_y = H(s :: a_y :: b_y) \wedge y \in Y\}$$

for some $Y \subseteq \mathbb{Z}_2^{\ell}$, where the assignment $y \mapsto a_y$ is injective, and $y \mapsto b_y$ arbitrary. The assumption about $H$ implies $[y, a_y, b_y, y \boxplus h_y \perp x \boxplus h]$, which further tells that for any $\Sigma \subseteq \mathcal{A}(x \boxplus h)$

$$\{s, a, b, z, z \boxplus h\} \cap \Sigma = \emptyset \;\Longrightarrow\; [\Sigma \perp x \boxplus h]$$

and we are done.

The proof of 6.2(b) is analogous, but slightly simpler, elaborating the fact that obtaining one challenge tells nothing about another one. □

Proof of Lemma 6.3. Since $h$ is indistinguishable from random, the bits of any $h_i$ are indistinguishable from independent. The probability of guessing any chosen substring of length $\ell$ in $h$ is indistinguishable from $2^{-\ell}$. In particular, the probability of guessing $x_\ell \boxplus h_\ell$ for a chosen $x_\ell$ is indistinguishable from $2^{-\ell}$. Knowing which substring is being guessed presents no advantage, and thus $[x_\ell \vdash x_\ell \boxplus h_\ell] = 2^{-\ell}$. Equations (17) and (18) follow from Prop. 5.6. □

Proof of Prop. 6.4. The claim follows from the fact that each set $\Sigma \subseteq \mathcal{A}(x \boxplus h)$ such that $\mathrm{Adv}[\Sigma \vdash x \boxplus h] > 0$ satisfies at least one of the following inequalities:

$$[\Sigma \vdash x \boxplus h] \;\le\; [\Sigma \vdash s] \cdot [\Sigma, s \vdash x \boxplus h] \tag{A.1}$$

$$[\Sigma \vdash x \boxplus h] \;\le\; [\Sigma \vdash z \boxplus h] \cdot [\Sigma, z \boxplus h \vdash x \boxplus h] \tag{A.2}$$

According to Lemma 6.2(a), for each subset $\Sigma$ of $\mathcal{A}(x \boxplus h)$ such that $a \in \Sigma$, it suffices to consider the set $\Sigma \cap \{s, a, b, x, z, z \boxplus h\}$. Once the problem is reduced this far, the rest follows by case analysis, using Lemma 6.3. □

Proof of Prop. 6.5. The claim is that each $\Sigma \subseteq \mathcal{P}(x)$ such that $\mathrm{Adv}[\Sigma \vdash x \boxplus h] > 0$ satisfies

$$[\Sigma \vdash x \boxplus h] \;\le\; [\Sigma \vdash x^{\overline{\partial h}}] \cdot [\Sigma, x^{\overline{\partial h}} \vdash x \boxplus h] \tag{A.3}$$

Lemma 6.2(b) says that it suffices to consider $\Sigma \cap \{s, a, b\}$ if $a \in \Sigma$. Thus, we only need to consider the subsets of $\{s, a, b\}$, and since $b$ is deterministic, this reduces to the subsets of $\{s, a\}$. The assumption that the stream $h$ is indistinguishable from random implies $[\Sigma \vdash x \boxplus h] = 2^{-\ell}$ whenever $\Sigma$ is a proper subset of $\{s, a\}$. So (A.3) holds trivially in that case. For $\Sigma = \{s, a\}$, using Prop. 5.6 and Lemma 6.3, we have $[\Sigma \vdash x^{\overline{\partial h}}] = [\Sigma \vdash x \boxplus h]$ and on the other hand $[\Sigma, x^{\overline{\partial h}} \vdash x \boxplus h] = 1$.

Hence (A.3). □

Proof of Prop. 6.6. Since every $x \in \mathbb{Z}_2^{\ell}$ has probability $2^{-\ell}$ by assumption, and $[x, z, z \boxplus h \vdash x \boxplus h]_\ell = 2^{-|\Delta(z,x)|}$ by (11), it follows that

$$2^{-\ell} \sum_{x \in \mathbb{Z}_2^{\ell}} [x, z, z \boxplus h \vdash x \boxplus h]_\ell \;=\; 2^{-\ell} \cdot \sum_{k=0}^{\ell} \binom{\ell}{k} 2^{-k} \;=\; 2^{-\ell} \cdot \Bigl(\frac{3}{2}\Bigr)^{\ell} \;=\; \Bigl(\frac{3}{4}\Bigr)^{\ell}$$

□

Proof of Prop. 6.7. By hypothesis the token $h = H(s :: a :: b)$ is indistinguishable from a random value. Since $[s, a, b \perp x]$ also holds by assumption, $[s, a, b \vdash x \boxplus h] = [h \vdash x \boxplus h]$ follows, because $s, a, b$ can only be useful to derive $h = H(s :: a :: b)$. But Prop. 5.6(a) then implies that $[s, a, b \vdash x \boxplus h]_\ell = 2^{k - \ell}$, where $k = |\partial h|$. The expected chances that Peggy will guess $x \boxplus h$ are averaged over the possible values of $h$, and hence

$$\sum_{h \in \mathbb{Z}_2^{2\ell}} 2^{-2\ell} \, [h \vdash x \boxplus h]_\ell \;=\; 2^{-\ell} \sum_{k=0}^{\ell} \binom{\ell}{k} 2^{k - \ell} \;=\; 2^{-2\ell} \cdot 3^{\ell}$$

□
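The Monty Hall argument of Prop. 5.7 and the two averages in Props. 6.6 and 6.7 can be confirmed by exhaustive enumeration for small $\ell$. The script below is an added example, not code from the paper: it encodes $x \boxplus h$ as `respond(x, h)` with $h = (h^{(0)}, h^{(1)})$ (an assumed encoding), and computes the exact success chance of a Bayes-optimal guesser instead of assuming the sticking strategy or (11), so it checks the $(3/4)^\ell$ values independently.

```python
from collections import Counter
from fractions import Fraction
from itertools import product


def bit_strings(n):
    """All n-bit strings as tuples of 0/1."""
    return list(product((0, 1), repeat=n))


def respond(x, h):
    """(x [+] h)_i = h_i^{(x_i)}: bit i of the response comes from the half
    h^{(0)} or h^{(1)} selected by challenge bit x_i (assumed encoding)."""
    h0, h1 = h
    return tuple(h1[i] if x[i] else h0[i] for i in range(len(x)))


def mafia_fraud_success(ell, z=None):
    """Exact chance of a Bayes-optimal Attacker (Prop. 6.6): he sends his own
    challenge z to Peggy first, learns z[+]h, then must answer Victor's uniform
    x. For each (x, z[+]h) he picks the answer consistent with the most tokens
    h; the result is averaged over uniform h and x. Independent of z."""
    z = z or (0,) * ell
    tokens = [(h0, h1) for h0 in bit_strings(ell) for h1 in bit_strings(ell)]
    wins = Fraction(0)
    for x in bit_strings(ell):
        # counts[(observation, candidate answer)] = number of tokens h
        counts = Counter((respond(z, h), respond(x, h)) for h in tokens)
        best = {}
        for (obs, r), n in counts.items():
            best[obs] = max(best.get(obs, 0), n)
        wins += sum(best.values())
    return wins / (len(tokens) * 2 ** ell)


def distance_fraud_success(ell):
    """Exact chance of a dishonest Peggy (Prop. 6.7): she knows h but must
    commit to a response before seeing x, so she sends the string that equals
    x[+]h for the most challenges x (2^k of them, k = |dh|); average over h."""
    tokens = [(h0, h1) for h0 in bit_strings(ell) for h1 in bit_strings(ell)]
    wins = Fraction(0)
    for h in tokens:
        wins += max(Counter(respond(x, h) for x in bit_strings(ell)).values())
    return wins / (len(tokens) * 2 ** ell)


if __name__ == "__main__":
    for ell in range(1, 5):
        print(ell, mafia_fraud_success(ell), distance_fraud_success(ell),
              Fraction(3, 4) ** ell)  # all three columns agree
```

Both averages equal $(3/4)^\ell$ for every $\ell$ tried, matching the closed forms $2^{-\ell}(3/2)^\ell$ and $2^{-2\ell}\,3^\ell$ above.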


Proof of Thm. 6.8. By (15), to prove the Theorem it suffices to show that both $\mathrm{Prob}(\mathcal{A} \mid \mathcal{V})$ and $\mathrm{Prob}(\mathcal{P} \mid \mathcal{V})$ are negligible. Bayes' Theorem and the hypotheses imply

$$\mathrm{Prob}(\mathcal{A} \mid \mathcal{V}) \;=\; \frac{\mathrm{Prob}(\mathcal{V} \mid \mathcal{A}) \cdot \mathrm{Prob}(\mathcal{A})}{\mathrm{Prob}(\mathcal{V})} \;\le\; \frac{\mathrm{Prob}(\mathcal{V} \mid \mathcal{A}) \cdot C}{D}$$

Since $\mathrm{Prob}(\mathcal{V} \mid \mathcal{A})$ is negligible by Prop. 6.6, $\mathrm{Prob}(\mathcal{A} \mid \mathcal{V})$ is negligible too. The fact that $\mathrm{Prob}(\mathcal{P} \mid \mathcal{V})$ is negligible follows in the same way from Prop. 6.7. □


